You have probably noticed that most multimeters come with a function to test BJT transistors, but none has a function to test today’s more common MOSFETs.

Here are the steps to test an N-channel MOSFET with just a multimeter (this applies to P-channel too, just swap + and –). Of course, the MOSFET has to be disconnected completely.

Make sure you are not wearing shoes, so that you don’t carry any electrostatic charge; FETs are very sensitive to ESD.

Now touch both the Gate and Source terminals with your finger; this makes sure that the gate is uncharged.

Put your multimeter in diode/continuity test mode (beep mode).

Touch the source pin with the negative lead and the drain with the positive lead: it should not beep, and it should show > 999 ohm. If current flows even after you have made sure again that the gate is discharged, the MOSFET is damaged.

Touch the source pin with the negative lead and the gate pin with the positive lead: no current should flow. If current flows, the oxide layer between the gate and the substrate or N junctions has been broken by a gate-source overvoltage or ESD; trash the MOSFET if that is the case.

Now, WITHOUT touching the gate terminal at all, touch the drain pin with the positive lead and the source pin with the negative lead: the multimeter should beep and show a very low resistance reading.

Finally, before trashing any MOSFETs, make sure that the method works with most of them using your multimeter (some multimeters may use too low a voltage in continuity test mode and thus not reach the Vt threshold of the MOSFET).
To avoid ESD damage, always store your MOSFETs with all pins joined together using aluminum foil or copper strands.

The SITECOM WL-326 is an Ethernet + 3G router featuring 300 Mbps wireless and a USB port to connect a 3G modem.

This device is not officially supported by OpenWRT and is not very common, so there’s basically zero info on it at the moment.

The first thing is to find out which SoC it uses. Since it is covered by a heat spreader, the best approach that does not risk destroying the board is to connect a USB-TTL adapter to the serial port, which is visible in the photos.

Luckily, contrary to most cases, the PCB already has the RX, TX and GND pins labelled, so it’s just a matter of soldering a female or male strip header and connecting it to the adapter.

Serial port settings are 57600 8N1, and when connecting the power to the device, it’s immediately visible that it is a rebrand of another device, the ESR-6670 http://wiki.openwrt.org/toh/engenius/esr6670.
Still no luck, it’s not supported either, but at least now we know which SoC it uses: the Ralink 3052.

Now the tricky part: the bootloader shows only one option, contrary to most supported routers.

Board:Ralink APSoC DRAM:32MB1*32MB
============================================
ASIC3052_MP2(Port5<->None)
Product Name:ESR-6670
SDRAM CAS=3(d1835272)
============================================
Please choose the operation:
1:Load system code to SDRAM via TFTP.

So the only option is just to try it; worst case scenario, if it goes wrong, we’ll have to reverse engineer the (likely) JTAG connector visible in the photo.

This command will ask you for some parameters. The first one is the router IP: just hit enter (leaving it as it is).
The second one is the TFTP server IP; a default one will be shown.

Board:Ralink APSoC DRAM:32MB1*32MB
============================================
ASIC3052_MP2(Port5<->None)
Product Name:ESR-6670
SDRAM CAS=3(d1835272)
============================================
Please choose the operation:
1:Load system code to SDRAM via TFTP.
1:System Load Linux to SDRAM via TFTP.
Please Input new ones /or Ctrl-C to discard
Input device IP(192.168.99.9)==:
Input server IP(192.168.99.8)==:
Input Linux Kernel filename(40.7z)==:rd.bin
Using Eth0 device
TFTP from server 192.168.99.8; our IP address is 192.168.99.9
Filename 'a.dlf'.
Loading:*
ArpTimeoutCheck
Got ARP REPLY, set server/gtwy eth addr(54:42:49:5f:d3:1b)
Got it
T#
first block received

Now connect an Ethernet cable between a LAN port and your machine, and give your interface the server IP address that the bootloader shows:

ifconfig eth0 up 192.168.99.8

or something like that.

Now you can hit enter, and then it will ask for the Linux kernel filename, which is WRONG: that’s not the Linux kernel filename but the uImage filename.

Now the hard choice: finding a similar enough device to flash this one with, and crossing fingers that it does not blow up. I’ve chosen the wr512 because it also has a USB port and an Ethernet port, so it’s worth trying.

Now, start a TFTP server. The quickest way, without spending 15 mins configuring with xinetd or crap like that, is

dnsmasq --enable-tftp --tftp-root=/home/dev -d

If it fails because of a port already in use, append -p 3244 (this moves dnsmasq’s DNS listener to another port).

If it started successfully, enter the chosen filename (rd.bin or whatever it is) on the serial console and hit enter. Now it should flash it and reboot, but you are not done yet, because this is an image designed to work only in RAM, so any config change will NOT be saved.

But since you should have an OpenWRT console now and the LAN ports configured to 192.168.1.1, ifconfig your machine’s interface to 192.168.1.2.

It will take a minute or two and then reboot automatically; after the reboot you will have the router at 192.168.1.1 again.

Now log in to the LuCI interface and go to Network->Switch. You should see two VLANs configured: vlan1, which is LAN, configured with the first port untagged, and vlan2, which is WAN, configured with some other port untagged.

Now on vlan1 change the first port (left to right) to off, and on vlan2 change the first port (same as vlan1) to untagged, and click Save & Apply.
That’s because the router whose firmware we flashed has the switch connected differently.

That’s it, now you are done. You can configure wireless and other stuff; just forget about 3G unless you replace the flash memory, because it is likely that there’s not enough space on flash (unless you build a version without LuCI and with 3G and then configure it with the CLI).

Update: It’s possible to install the 3G packages and still have 52 kbytes free; not tested because I don’t have a USB 3G modem handy.

In a first pass, SVP calculates the motion vectors for the frame (the direction and velocity with which every object in the video has moved), and then in the second pass it generates intermediate frames.
With that technique it can generate the intermediate frames between each frame of the original video, like when going from 24fps to 60fps.

As you have seen, SVP is only for Windows and there is no guide to easily use it under Linux, but it can be used under Linux too and it’s not very difficult.

!!!IMPORTANT: The method shown here does not work with Ubuntu because of some unknown Wine build bug.

In these days I’ve worked on how to create a system that allows me to turn lights or appliances at home on and off with minimal cost and complexity, and here it is: https://github.com/tizbac/IoTManager

Each node (ESP-01 ESP8266) with the nodemcu firmware and the init.lua script from the esp8266 folder of my repository has two outputs and can control two appliances.
A node has commands to retrieve its name, unique identifier and current state, and to set the state; all of that happens via UDP packets.

At first I tried, especially for discovery purposes, to use UDP broadcast packets, but it seems that the module has some bug that makes the reception of broadcasts very unreliable, so in the end I resorted to sending a status query command to each IP address in the specified subnet; for 192.168.1.0/24, that would be 192.168.1.1 to 192.168.1.254.

The server, which runs on an ARM board like a Raspberry or a BeagleBone, takes care of the authentication of the clients from the internet (the ESP8266 modules have no authentication, they rely on the safety of the network, so avoid passwords like “password” or “0123456789”).

When first started, the server creates a self-signed certificate to use with HTTPS and a random password; then, when the user connects to the webserver from a local IP address, a QR code is displayed to configure the Android application.

The QR code contains the public IP address, the port, the password and the SHA-1 fingerprint of the certificate, so that even if it is self-signed, it can be verified by the application to prevent man-in-the-middle attacks.
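The fingerprint check described above, as an added example that is not taken from the IoTManager repository or its Android app: a client accepts the self-signed certificate only if its SHA-1 fingerprint equals the value read from the QR code. The function names and the hex-string form of the pinned value are assumptions; the page does not specify the QR payload layout.

```python
import hashlib
import hmac
import socket
import ssl


class PinMismatch(Exception):
    """The server certificate does not match the pinned fingerprint."""


def normalize_fingerprint(text: str) -> bytes:
    """Accept 'AA:BB:..', 'aabb..' or space-separated hex; return 20 raw bytes."""
    cleaned = "".join(ch for ch in text if ch not in ": \t\n-")
    try:
        raw = bytes.fromhex(cleaned)
    except ValueError as exc:
        raise ValueError("fingerprint is not valid hex") from exc
    if len(raw) != hashlib.sha1().digest_size:
        raise ValueError("a SHA-1 fingerprint must be 20 bytes")
    return raw


def certificate_fingerprint(der_cert: bytes) -> bytes:
    """SHA-1 over the DER encoding of the whole certificate."""
    return hashlib.sha1(der_cert).digest()


def check_pin(der_cert: bytes, pinned: str) -> None:
    """Fail closed: raise unless the certificate hashes to the pinned value."""
    if not der_cert:
        raise PinMismatch("server presented no certificate")
    expected = normalize_fingerprint(pinned)
    if not hmac.compare_digest(certificate_fingerprint(der_cert), expected):
        raise PinMismatch("certificate fingerprint differs from the pinned one")


def connect_pinned(host: str, port: int, pinned: str,
                   timeout: float = 5.0) -> ssl.SSLSocket:
    """Open TLS to a self-signed server; return the socket only if the pin matches."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # CA validation is replaced by the pin below
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw)
    except Exception:
        raw.close()
        raise
    try:
        # The pin is checked before any application data (the password) is sent.
        check_pin(tls.getpeercert(binary_form=True), pinned)
    except Exception:
        tls.close()
        raise
    return tls
```

The password from the QR code should be written only to the socket returned by `connect_pinned`; a `PinMismatch` means the connection is dropped without sending it.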

The server also takes care of enforcing state on the nodes, especially when a packet is lost or when the node for some reason loses power: at each discovery the state is compared and, if not equal, it is resent until the node status matches.

That’s it, with barely 200 lines of Python and a trivial Android app you can safely control your house from wherever you want.

I’m posting this pinout because it can’t be easily found, and using a multimeter it takes a lot to figure out, like it did for me.

| MB Connector | Panel back connector | Description |
|---|---|---|
| 1 | 2 | 3.3VDD |
| 2 | 4 | EDID eeprom power ( 3.3V) |
| 3 | 6 | EDID eeprom CLK |
| 4 | 7 | EDID eeprom DATA |
| 5 | 28 | VDD_EN ( Active high, 3.3v) |
| 6 | 30 | VLED_EN (Active high, 3.3v) |
| 7 | 22 | GND |
| 8 | 8 | LVDS Channel 0 – |
| 9 | 9 | LVDS Channel 0 + |
| 10 | 11 | LVDS Channel 1 – |
| 11 | 12 | LVDS Channel 1 + |
| 12 | 14 | LVDS Channel 2 – |
| 13 | 15 | LVDS Channel 2 + |
| 14 | 22 | GND |
| 15 | 17 | LVDS Clock – |
| 16 | 18 | LVDS Clock + |
| 17 | 1 | GND |
| 18 | 5 | Backlight PWM ADJ |
| 19 | 25 | Led VCC ( 5V ) |
| 20 | 24 | Led VCC ( 5V ) |

If you are planning to reuse the panel with an MT6820 board, set the panel voltage to 3.3 volts, connect 3.3VDD and VDD_EN together, and connect all the GND pins to GND too.
About the backlight, for me it worked leaving VLED_EN open (unconnected) and ADJ connected to the BL pin of the MT6820 (brightness, unless I’ve swapped the pins by mistake, does not seem to work).

The whole thing will draw about 1A @ 5V, so if you get a Y cable with a switch (to prevent the MT6820 from powering on too early), you can run it from two USB ports.

The correct jumper configuration for the board is with only A closed, and all others open.

What you need

Another access point running OpenWRT and supporting both multi-SSID and 4 address mode (or only 4 address mode if you want a wifi->ethernet bridge)

Setting up the main access point

First of all, you need to set up the main access point. To do that, once OpenWRT is up and running, log in to the web interface and go to the “Wifi” section.

Then, on the Wifi page, remove any existing SSID if needed and then add a new one.

Once you are done here, click Save and Apply to create the new access point.

Setting up the repeater

As with the main access point, log in and go to the Wifi section, remove any existing SSIDs / Client and then click “Scan”.

Once you get the scan results (it can take up to 45 secs), select the network you are interested in and click “Join network”.

Once done, click Submit.

When you are done changing the mode to Client (WDS) and, if needed, setting up security, click “Save”; not Save and Apply, not yet.

Now you have to create an access point SSID. To do that, repeat the steps used on the main access point, but when selecting the network, instead of choosing lan, choose repeater or whatever you entered when creating the WDS Client interface, then click Save and Apply and enjoy your OpenWRT based repeater.

In these days, between some exercises for a microeconomics exam, I’ve continued to work on reverse engineering the Alcor 698x UFD microcontroller, and I’ve got another poor quality Alcor based flash drive from a friend, so now I have an 8 GB one and a 4 GB one.

With the help of Wireshark, usbmon and a virtual machine running Windows with USB forwarding by SPICE, I’ve started reverse engineering the format of the various vendor specific commands that are sent to the flash drive.

But while working on it I’ve encountered a serious problem: the Linux kernel SCSI implementation removes the 3 MSBs from the 2nd byte of the SCSI commands, which in our case breaks various commands; for example, 0x51 directed at LUN 0 would become 0x11.

The interesting commands now are two: 0x82 and 0x81. They are used to download and upload configurations to the flash drive.

02: This byte is a checksum of all the bytes before it. If you set it incorrectly, the flash drive will refuse to use the settings. To calculate it, sum all byte values (unsigned), and then do &0xFF to keep only the lowest eight bits.

I’ve started that work because I want to port the AlcorMP utility to Linux and to be able to use custom flash chips with these UFD chips. This utility called AlcorMP allows you to do a lot of stuff, from checking flash integrity to programming the USB flash drive into a CD-ROM emulator.

For those who are new to that field, these flash drives store configuration data and bad blocks on a hidden sector of the flash memory which normally is not visible to the end user.

To program that sector you have to issue vendor specific SCSI commands. The ones that I’ve found are:
0x9a: Seems to return 0x200 bytes of data, still not reverse engineered
0xfa00: Seems to return 0x200 bytes of data too, but this one returns the Flash Chip identification as the first 6 bytes, so it’s something useful.
There’s also 0xf5, which is still unknown.

Now the hard part. The first thing you will see when you try to figure out where the program takes the flash part no. and vendor from is that there’s no plaintext list with that data, and there’s no compressed data either.
Analyzing it with binwalk gives a very discouraging entropy graph, as shown below.

flashlist.afl entropy plot using binwalk -E

After some work on UfdComLib.dll, it turns out that the file flashlist.afl has been encrypted with a block cipher on purpose.

Luckily the program itself (except LLF.dll, which is encrypted too) is not obfuscated, so it has been relatively easy to extract the encryption algorithm from the program and use it to decode flashlist.afl.

The function in UfdComLib.dll that gives a huge help in locating the decryption code with IDA is the one at 0x100022F0.

After studying it for some hours I’ve figured out that sub_10004760 is a function used to initialize a vector of length 256 (0x100) with the encryption key that is later used in the caller function.

With the HexRays decompiler it’s fairly easy to generate proper C code for these functions and so re-use them.

The file starts with a 256-byte block which, when encrypted using the algorithm above with “ALCORFLASHCFG_SZ” as the key, yields another 256 bytes; these have to be used as the key for the next 256-byte block in the file, which is the header.

The header contains some useful info like the size of each record, the number of records and what I think to be the version (4), as follows:

typedef struct {
    char headerMagic[16];
    int unk1;
    int unk2;
    int unk3;
    int unk4;
    int unk5; // 1
    int version; //Confirmed?
    int entry_size; // Confirmed?
    int entry_count;
} AlcorFlashListHeader;

The data after the header is organized in entry_size sized blocks, and each one is decrypted using the same key obtained to decrypt the header, but the first key byte has to be the record number, starting from 0, and the last key byte has to be the bitwise negation of the record number.

This gives us records whose exact format I’m still working to figure out, but this is what I’ve defined so far:

typedef struct {
    unsigned char vendor[16];
    unsigned char partno[32];
    unsigned char id[6];
    unsigned char unk1[0xb];
    unsigned char CE;
    ....

Other fields still have to be reverse engineered, and they are mandatory to be able to write a program that can reprogram these flash drives.
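The file walk described above (key block, header, per-record key tweak), as an added Python example that is not the author's program: the Alcor block cipher is not reproduced here, so a self-inverse XOR stands in for it, and the sample file is constructed. The function names, the wrapping of record numbers above 255 and the bounds checks are assumptions of this sketch.

```python
import struct

BLOCK = 256  # size of the key block and of the header block
# AlcorFlashListHeader, packed: magic, unk1..unk5, version, entry_size, entry_count
HEADER = struct.Struct("<16s8i")
# Leading fields of AlcorFlashListEntry: vendor, partno, id, unk1, CE
ENTRY = struct.Struct("<16s32s6s11sB")
SEED = b"ALCORFLASHCFG_SZ"


def stand_in_cipher(block: bytes, key: bytes) -> bytes:
    """Placeholder ONLY: self-inverse XOR, not the cipher found in UfdComLib.dll."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(block))


def record_key(base_key: bytes, index: int) -> bytes:
    """First key byte = record number, last key byte = its bitwise negation."""
    key = bytearray(base_key)
    key[0] = index & 0xFF    # assumption: numbers above 255 wrap to one byte
    key[-1] = ~index & 0xFF
    return bytes(key)


def read_flash_list(blob: bytes, cipher=stand_in_cipher):
    """Return (version, records) from a file laid out as the text describes."""
    if len(blob) < 2 * BLOCK:
        raise ValueError("too short for key block and header")
    base_key = cipher(blob[:BLOCK], SEED)
    fields = HEADER.unpack_from(cipher(blob[BLOCK:2 * BLOCK], base_key))
    version, entry_size, entry_count = fields[6:9]
    # The header is untrusted input: reject sizes that would read out of bounds.
    if entry_size < ENTRY.size or entry_count < 0:
        raise ValueError("implausible header (wrong key or corrupt file)")
    if 2 * BLOCK + entry_size * entry_count > len(blob):
        raise ValueError("header claims more records than the file holds")
    records = []
    for n in range(entry_count):
        start = 2 * BLOCK + n * entry_size
        plain = cipher(blob[start:start + entry_size], record_key(base_key, n))
        vendor, partno, chip_id, _unk1, ce = ENTRY.unpack_from(plain)
        records.append({
            "vendor": vendor.rstrip(b"\0").decode("ascii", "replace"),
            "partno": partno.rstrip(b"\0").decode("ascii", "replace"),
            "id": chip_id.hex(),
            "ce": ce,
        })
    return version, records


def build_sample(parts, entry_size: int = 80, cipher=stand_in_cipher) -> bytes:
    """Constructed file in the same layout, so the reader can be exercised."""
    base_key = bytes((7 * i + 3) & 0xFF for i in range(BLOCK))
    header = HEADER.pack(b"CONSTRUCTED", 0, 0, 0, 0, 1, 4, entry_size, len(parts))
    blob = cipher(base_key, SEED) + cipher(header.ljust(BLOCK, b"\0"), base_key)
    for n, (vendor, partno, chip_id, ce) in enumerate(parts):
        entry = ENTRY.pack(vendor, partno, chip_id, b"", ce).ljust(entry_size, b"\0")
        blob += cipher(entry, record_key(base_key, n))
    return blob
```

To read a real flashlist.afl, pass the decompiled cipher as the `cipher` argument in place of the stand-in.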

The complete program that can read the flash list is the following:

#include <iostream>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define LOBYTE(v) *((unsigned char*)&v)

#pragma pack(push, 1)
typedef struct {
    char headerMagic[16];
    int unk1;
    int unk2;
    int unk3;
    int unk4;
    int unk5; // 1
    int version; //Confirmed?
    int entry_size; // Confirmed?
    int entry_count;
} AlcorFlashListHeader;

typedef struct {
    unsigned char vendor[16];
    unsigned char partno[32];
    unsigned char id[6];
    unsigned char unk1[0xb];
    unsigned char CE;
    /*unsigned char unk2[14];
    unsigned char cache_enabled;*/
    unsigned char unk[0x260-(1+0xb)];
} AlcorFlashListEntry;
#pragma pack(pop)

// It seems to be some kind of block cipher using 0x100 ( 256 bytes) blocks

I’ve got that TV to be trashed, because after some hours it won’t turn on anymore. The first thing I’ve checked is the power supply, which was fine.
The original board is labeled “T.MSD309.B21B”, and apparently it is a Chinese universal LVDS LCD driver board.

So I’ve checked on eBay and that board is available, but it costs a lot of money (80+ € excl. shipping), and since the old one broke in almost new condition, and I’m pretty sure it is software-broken, it’s reasonable to think that the board is flawed and will break again and again.
Also I couldn’t be sure that the panel was in working condition, so 100 € is too risky considering that and what was said above.

I’ve chosen then to use an MT6820 board, which can be bought from eBay for as low as 6€. It has only a VGA input, but that is fine for what I want to use that LCD for.

This board has various options to support most LCD panels, so I’ve tried all of them, and the one that is closest to perfection is no. 1.
But it isn’t perfect: you will get swapped columns.
While going through various LVDS pinouts I’ve noticed that one group of signals is marked “EVEN” and another group “ODD”; since the number of pixels horizontally is even, it clearly appears to be caused by swapped EVEN and ODD connections.

The glitch caused by swapped EVEN and ODD

When swapping the signals according to the MT6820 pinout, I was very tired and screwed up all the ordering, so I had to find the correct pinout again.
Since the Part.NO of the panel gives 0 results on Google, literally, I’ve spotted the LVDS controller board chip manufacturer on the panel, which is “CMO”. CMO stands for ChiMei Optoelectronics, but it no longer exists; however, after some more hard searching, I’ve figured out that it has been acquired by Innolux, and then I’ve picked the first datasheet of a 39 inch wide LED backlit panel.

After having the right pinout I’ve reassembled the cable and got back to the starting point, where columns were swapped.

So the next day, after some rest, I’ve tried again to swap the connections, and it finally works.

Now let’s get deeper into the details. If you order an MT6820, you will likely get an LVDS cable that is useless for our work, and a button board that we need instead.

The button board must be connected with the supplied cable even if the pin count does not match; that is because K5 and K6 on the input side are unused.
Make sure that the other input pins and LED pins match on the button board.

On the QBell LVDS cable you have to swap all the EVEN pins with the ODD pins. To do that, do not cut the wires or do some s**t like that; instead just use some thin object like a needle to extract the contacts from the plastic of the connector on the MT6820 side and swap them all.

Now that you have a (hopefully) correct LVDS connection, you need to do one more thing. The MT6820 supports only 3.3V and 5V panels, while at least on this QBell the panel voltage is 12V, so you have to cut the red wires (pins 1, 2, 3) and connect them to the +12V from the power supply (you can see the output voltages on the PCB of the power supply, since they are labeled).

The backlight is not electrically compatible with the MT6820, so you just have to connect both the BLON and ADJ pins of the power supply to +5VSB.
The +5V of the MT6820 instead has to be connected to the +5V of the power supply.
To make the power supply power on as soon as you plug the TV into the outlet, connect PSON and +5VSB together.

The MT6820 board “installed”

If nothing is wrong you should see “No signal” written in Chinese, and it should work correctly as a regular PC VGA display.